Join Us at the Black Hat CISO Event at Mandalay Bay on August 5 RSVP Now.×
Home » Spin.AI Blog » Cybersecurity » What to Know About the New SEC Cybersecurity Disclosure Rules
February 6, 2024 | Reading time 6 minutes

What to Know About the New SEC Cybersecurity Disclosure Rules

Avatar photo

Product Manager

The Securities and Exchange Commission (SEC) announced new additions to rules around disclosing cybersecurity risk management, strategy, governance, and incidents for public companies. If you’re one of the almost 9,000 public companies operating under SEC rules (or preparing to be publicly traded) or an interested investor, you may want to learn these new rules and its impact on the cybersecurity industry. Our cybersecurity expert at Spin.AI, Will Tran, summarizes what these changes mean and how to prepare your organization for a new era of disclosure and transparency.

What are the SEC cybersecurity disclosure rules? 

On July 26, 2023, the SEC introduced new cybersecurity disclosure rules. These were intended to provide transparency to investors around the cybersecurity risks faced by public companies. 

SEC Chair Gary Gensler states, “Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”

The new amendments to these original rules now require disclosure of material cybersecurity incidents. Public companies are now required to disclose a cybersecurity incident within 4 days of determining that the incident is material (material meaning anticipated to have a substantial impact on the company’s finances, operations, or business). (Source

Item 1.05 – Disclosing material cybersecurity incidents

“This requires registrants to disclose on the new Item 1.05 of Form 8-K any cybersecurity incident they determine to be material and to describe the material aspects of the incident’s nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant. An Item 1.05 Form 8-K will generally be due four business days after a registrant determines that a cybersecurity incident is material.”

Item 106 – Risk Management and Strategy

“The new rules also add Regulation S-K Item 106, which will require registrants to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats… [and to] describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats.”

What does this mean?

Item 1.05 is a step in the right direction for adding structure and transparency around cyber security incidents. However, there is still a gray area when it comes to determining which incident is “material”. 

For example, JPMorgan Chase recently reported it defends itself against 45 billion hacking attempts every single day. So how does one determine which attacks are material? When assessing materiality, the company must develop and implement a structure that considers both the qualitative and quantitative consequences of the incident, including the incident’s potential impact to the company’s business operations, customers, and reputation.

Item 106 elevates the importance of cybersecurity within a company by bridging the possible gap between its board of directors and executive leaders with the company’s CISO. According to a Harvard Business Review research, less than half of board members regularly interact with their company’s CISOs; and nearly a third of them only see their CISOs at board presentations. With Item 106 in place, a company’s board of directors and executive leaders are now expected to have oversight into the company’s cybersecurity processes and risks. 

Just as important, Item 106 also requires companies to disclose their practices for addressing cybersecurity threats. This forces CISOs to continuously reassess their existing tools and processes to effectively combat the evolving and persistent cybersecurity threats.

When do these rules go into effect?

The new SEC rules were announced in mid-2023 and implemented in late-2023. While these rules have been known for some months, investors have just begun to see how publicly traded companies are reacting to these new rules. Last week, major technology companies – Alphabet (Google), Amazon, Meta, and Microsoft – released their annual earnings report, which complied with the new SEC rules. How did they respond?

Each company complied to the new SEC rules by providing an overview of their cybersecurity-related risk management and strategy. However, some were notably more detailed and transparent than others for the two new SEC rules. For example, in compliance with Item 1.05 – Disclosing material cybersecurity incidents, Microsoft revealed an incident involving a nation-state threat actor who used a password spray attack to compromise a legacy test account and gain unauthorized access to email accounts. For another example, in compliance with Item 106 – Risk Management and Strategy, Meta shared its third-party assessment (TPA) process, which assesses potential cybersecurity risks by collecting security controls from Meta’s major contractors who have privileged data and system access. 

How can SpinOne help? 

As an all-in-one SaaS security solution, SpinOne helps prevent and manage cybersecurity incidents within mission-critical applications. SpinOne provides complete visibility and context of cybersecurity incidents related to ransomware, data leak, and data loss to help customers evaluate the materiality of these incidents.  

The most notable element of the new SEC rules is the shift in culture around cybersecurity. Placing a spotlight on the importance of cybersecurity shifts companies into an essential mindset that is both aware of potential threats and urgently prioritizes a holistic cybersecurity strategy. Learn more here about how SpinOne can help.

Was this helpful?

Thanks for your feedback!
Avatar photo

Written by

Product Manager at Spin.AI

Will Tran is the Product Manager at Spin.AI, where he guides the product's strategic direction, oversees feature development and ensures that the solution solves his clients’ cybersecurity needs.

Will is a security professional who started his career at Lockheed Martin where he worked on National Security Space programs in business development and product management.

Will holds a BA in Economics and Mathematics from UCSB and an MBA with a specialization in Technology Management and Marketing from UCLA Anderson School of Management.

At Lockheed Martin, Will developed the multi-year strategy campaign and supported the product development of a national security satellite program for the United States Air Force, which resulted in a multi-billion dollar contract.

During business school, Will consulted 2 non-profit organizations as part of a series of national consulting case competitions. He set strategic priorities, optimized business operations, and developed a process to qualify new revenue streams for his non-profit clients. These initiatives resulted in 15-20% increase in annual surplus.

In his spare time, Will can be found at local coffee shops around Los Angeles, traveling to different countries, or hanging out with his cat.

How Can You Maximize SaaS Security Benefits?

Let's get started with a live demo

Latest blog posts

Mastering Disaster Recovery – Best Practices in 2024

From natural calamities to cyber threats and system failures, organizations face numerous challenges that can...

Avatar photo

Product Manager

Read more
SaaS backup and application governance

Expert Insights: SaaS Backup and Application Governance (Part 3)

Welcome back to our blog series on SaaS data protection. Part 1 focused on data...

Avatar photo

Former Gartner Analyst, Backup & Recovery

Read more

Protecting Your SaaS Environment: Insights from the Snowflake Incident

High-profile breaches are in the news more than ever before. However, data breaches are no...

Avatar photo

Product Manager

Read more